Cybersecurity vulnerability analysis of medical devices purchased by national health services

The growing integration of software within medical devices introduces the potential for cybersecurity threats. How significant is this risk, and to what extent are citizens currently exposed? In this study, we adopt a new data-gathering methodology using datasets provided in Open Contracting Data Standard (OCDS). This allowed us to perform an extensive analysis across over 36 countries within a 12-year range, searching 92 million public administration purchase records for potentially vulnerable medical devices. The findings reveal a concerning landscape wherein numerous medical devices purchased by national health services possessed or still possess 661 distinct vulnerabilities—more than half of which are deemed critical or high-severity. These vulnerabilities enable relatively simple attacks to impact data confidentiality, integrity, and accessibility severely. Even if patches were applied immediately upon discovery, these vulnerabilities would still result in roughly 3.2 years of system exposure from the time a device is purchased until a software vulnerability is announced, with all classes of devices affected, including high-risk IIB and III devices which accounts for 74% of instances. While a full analysis requires interactivity, this noninvasive methodology enables a large-scale study, emphasizing the need to move faster from the safety to the security of medical devices.